Use of username in algorithm #17

Open
dobesv opened this issue Jul 3, 2019 · 2 comments
Comments

@dobesv

dobesv commented Jul 3, 2019

Maybe this is more of a usage question, but it seems like if a user changes their username, their password will be invalidated as a side effect. The documentation may want to adjust its suggested workflow to one which will allow users to modify their username / email without getting locked out of their account.

I'm not 100% sure of the right approach. I guess when the client sends the first request to the server, it can provide some token back to the client which identifies the user. If this has to be anonymous, the token would seemingly have to be something randomly generated (e.g. not a database user ID). This is kind of redundant with the salt, though, since in principle you could just require each account to have a unique salt and use the salt to find the user in a subsequent request.

@antoine-pous

Simply asking for the password when updating the login will solve this issue painlessly and improve the security around editing personal information 😁

@dobesv
Author

dobesv commented Jan 26, 2022

FWIW, our workaround is to just provide an empty username for the purposes of the algorithm. I think there are enough other random tokens in the process that the username part of the system is optional.
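The thread reads as an SRP-6a deployment, where the username I is hashed into the client's private key, x = H(s | H(I | ":" | P)), and the server stores only the salt s and the verifier v = g^x mod N. The example below is added here to illustrate the three positions in the thread; it is not code from this project or from any of the commenters. It assumes the RFC 5054 derivation with SHA-256 and the RFC 5054 1024-bit group, and the function names (`register`, `login_would_succeed`, `rename_user`) are invented for the illustration. It shows why a username change with the original derivation locks the user out, how re-enrolling with the password (antoine-pous's suggestion) repairs it, and how enrolling with an empty username (dobesv's workaround) makes the verifier independent of the username in the first place.

```python
import hashlib
import secrets
from typing import Optional

# RFC 5054, Appendix A: the 1024-bit group N with generator g = 2.
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3",
    16,
)
g = 2


def _hash(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


def private_key(salt: bytes, username: str, password: str) -> int:
    """SRP-6a client secret x = H(s | H(I | ":" | P)). I is the username, so
    changing I changes x even when the password is unchanged."""
    inner = _hash(f"{username}:{password}".encode("utf-8"))
    return int.from_bytes(_hash(salt, inner), "big")


def verifier(salt: bytes, username: str, password: str) -> int:
    """Password verifier v = g^x mod N, the only password-derived value the server keeps."""
    return pow(g, private_key(salt, username, password), N)


def register(username: str, password: str, salt: Optional[bytes] = None) -> dict:
    """Server-side record: a per-account random salt plus the verifier.
    A fixed salt may be passed in to make runs reproducible (assumed helper, not the protocol)."""
    if salt is None:
        salt = secrets.token_bytes(16)
    return {"salt": salt, "verifier": verifier(salt, username, password)}


def login_would_succeed(record: dict, username: str, password: str) -> bool:
    """Whether the client's derivation still reproduces the stored verifier.

    Illustration shortcut: in real SRP the server never sees x or v during login;
    a mismatch shows up as a failed client proof M1 after the key exchange.
    """
    return verifier(record["salt"], username, password) == record["verifier"]


def rename_user(record: dict, old_username: str, new_username: str, password: str) -> dict:
    """antoine-pous's suggestion: require the password when the login changes, so the
    server can re-enrol the account under the new username with a fresh salt.
    The current verifier is checked first, which also password-gates the rename itself."""
    if not login_would_succeed(record, old_username, password):
        raise ValueError("password does not match the current record")
    return register(new_username, password)


if __name__ == "__main__":
    pw = "correct horse battery"

    # 1. Original derivation: renaming the account without re-enrolment locks the user out.
    rec = register("alice", pw)
    print("alice logs in:", login_would_succeed(rec, "alice", pw))
    print("after username change, same password:",
          login_would_succeed(rec, "alice@example.com", pw))

    # 2. Re-enrol with the password at rename time; the new verifier matches the new username.
    renamed = rename_user(rec, "alice", "alice@example.com", pw)
    print("after re-enrolment:", login_would_succeed(renamed, "alice@example.com", pw))

    # 3. dobesv's workaround: enrol with an empty I, so the username never enters x.
    #    The record must then be located by an account identifier outside the protocol,
    #    and the per-account salt is what keeps two users with the same password apart.
    anon = register("", pw)
    print("empty-username enrolment survives any rename:", login_would_succeed(anon, "", pw))
```

Note that with the empty-username variant the salt is doing the work the username did before: it must be random and unique per account, which is exactly the observation in the first comment above, and it does not by itself tell the server which record to load.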
